Add NSG rules for VXLAN to windows template
joekr committed Mar 8, 2023
1 parent 72c5fb8 commit d088853
Showing 1 changed file with 286 additions and 0 deletions.
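--- a/templates/cluster-template-windows-calico.yaml
+++ b/templates/cluster-template-windows-calico.yaml
@@ -36,6 +36,292 @@ metadata:
 name: "${CLUSTER_NAME}"
 spec:
 compartmentId: "${OCI_COMPARTMENT_ID}"
+networkSpec:
+vcn:
+name: ${CLUSTER_NAME}
+cidr: "10.0.0.0/16"
+networkSecurityGroups:
+- name: control-plane-endpoint
+role: control-plane-endpoint
+egressRules:
+- egressRule:
+isStateless: false
+destination: "10.0.0.0/29"
+protocol: "6"
+destinationType: "CIDR_BLOCK"
+description: "Kubernetes API traffic to Control Plane"
+tcpOptions:
+destinationPortRange:
+max: 6443
+min: 6443
+ingressRules:
+- ingressRule:
+isStateless: false
+source: "0.0.0.0/0"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "External access to Kubernetes API endpoint"
+tcpOptions:
+destinationPortRange:
+max: 6443
+min: 6443
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/16"
+protocol: "1"
+sourceType: "CIDR_BLOCK"
+description: "Path discovery"
+icmpOptions:
+code: 4
+type: 3
+- name: control-plane
+role: control-plane
+egressRules:
+- egressRule:
+isStateless: false
+destination: "0.0.0.0/0"
+protocol: "all"
+destinationType: "CIDR_BLOCK"
+description: "Control Plane access to Internet"
+ingressRules:
+- ingressRule:
+isStateless: false
+source: "10.0.0.8/29"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Kubernetes API endpoint to Control Plane(apiserver port)"
+tcpOptions:
+destinationPortRange:
+max: 6443
+min: 6443
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Control plane node to Control Plane(apiserver port) communication"
+tcpOptions:
+destinationPortRange:
+max: 6443
+min: 6443
+- ingressRule:
+isStateless: false
+source: "10.0.64.0/20"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Worker Node to Control Plane(apiserver port) communication"
+tcpOptions:
+destinationPortRange:
+max: 6443
+min: 6443
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "etcd client communication"
+tcpOptions:
+destinationPortRange:
+max: 2379
+min: 2379
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "etcd peer"
+tcpOptions:
+destinationPortRange:
+max: 2380
+min: 2380
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/16"
+protocol: "1"
+sourceType: "CIDR_BLOCK"
+description: "Path discovery"
+icmpOptions:
+code: 4
+type: 3
+- ingressRule:
+isStateless: false
+source: "0.0.0.0/0"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Inbound SSH traffic to Control Plane"
+tcpOptions:
+destinationPortRange:
+max: 22
+min: 22
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Control Plane to Control Plane Kubelet Communication"
+tcpOptions:
+destinationPortRange:
+max: 10250
+min: 10250
+- ingressRule:
+isStateless: false
+source: "10.0.64.0/20"
+protocol: "17"
+sourceType: "CIDR_BLOCK"
+description: "Calico VXLAN"
+udpOptions:
+destinationPortRange:
+max: 4789
+min: 4789
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "17"
+sourceType: "CIDR_BLOCK"
+description: "Calico VXLAN"
+udpOptions:
+destinationPortRange:
+max: 4789
+min: 4789
+- name: worker
+role: worker
+egressRules:
+- egressRule:
+isStateless: false
+destination: "0.0.0.0/0"
+protocol: "all"
+destinationType: "CIDR_BLOCK"
+description: "Worker node access to Internet"
+ingressRules:
+- ingressRule:
+isStateless: false
+source: "0.0.0.0/0"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Inbound SSH traffic to worker node"
+tcpOptions:
+destinationPortRange:
+max: 22
+min: 22
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/16"
+protocol: "1"
+sourceType: "CIDR_BLOCK"
+description: "Path discovery"
+icmpOptions:
+code: 4
+type: 3
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Control Plane to worker node Kubelet Communication"
+tcpOptions:
+destinationPortRange:
+max: 10250
+min: 10250
+- ingressRule:
+isStateless: false
+source: "10.0.64.0/20"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Worker node to worker node Kubelet Communication"
+tcpOptions:
+destinationPortRange:
+max: 10250
+min: 10250
+- ingressRule:
+isStateless: false
+source: "10.0.64.0/20"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Worker node to default NodePort ingress communication"
+tcpOptions:
+destinationPortRange:
+max: 32767
+min: 30000
+- ingressRule:
+isStateless: false
+source: "10.0.64.0/20"
+protocol: "17"
+sourceType: "CIDR_BLOCK"
+description: "Calico VXLAN"
+udpOptions:
+destinationPortRange:
+max: 4789
+min: 4789
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/29"
+protocol: "17"
+sourceType: "CIDR_BLOCK"
+description: "Calico VXLAN"
+udpOptions:
+destinationPortRange:
+max: 4789
+min: 4789
+- name: service-lb
+role: service-lb
+egressRules:
+- egressRule:
+isStateless: false
+destination: "10.0.64.0/20"
+protocol: "6"
+destinationType: "CIDR_BLOCK"
+description: "Service LoadBalancer to default NodePort egress communication"
+tcpOptions:
+destinationPortRange:
+max: 32767
+min: 30000
+ingressRules:
+- ingressRule:
+isStateless: false
+source: "10.0.0.0/16"
+protocol: "1"
+sourceType: "CIDR_BLOCK"
+description: "Path discovery"
+icmpOptions:
+code: 4
+type: 3
+- ingressRule:
+isStateless: false
+source: "0.0.0.0/0"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Accept http traffic on port 80"
+tcpOptions:
+destinationPortRange:
+max: 80
+min: 80
+- ingressRule:
+isStateless: false
+source: "0.0.0.0/0"
+protocol: "6"
+sourceType: "CIDR_BLOCK"
+description: "Accept http traffic on port 443"
+tcpOptions:
+destinationPortRange:
+max: 443
+min: 443
+subnets:
+- name: control-plane-endpoint
+role: control-plane-endpoint
+cidr: "10.0.0.8/29"
+type: public
+- name: control-plane
+role: control-plane
+cidr: "10.0.0.0/29"
+type: private
+- name: service-lb
+role: service-lb
+cidr: "10.0.0.32/27"
+type: public
+- name: worker
+role: worker
+cidr: "10.0.64.0/20"
+type: private
 ---
 kind: KubeadmControlPlane
 apiVersion: controlplane.cluster.x-k8s.io/v1beta1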
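Review bot: The two SSH ingress rules added to the control-plane and worker NSGs (`source: "0.0.0.0/0"`, TCP 22, descriptions "Inbound SSH traffic to Control Plane" / "Inbound SSH traffic to worker node") admit any source address, while the corresponding subnets are declared `type: private`; every other node-to-node rule in the hunk is scoped to a VCN CIDR, so these two stand out as the broadest rules in the template. Unless world-reachable SSH is intended for this Windows template, narrowing them to the VCN range already used by the path-discovery rules, `source: "10.0.0.0/16"`, or to an operator/bastion CIDR supplied as a template variable, keeps the new Calico VXLAN rules (UDP 4789 from 10.0.64.0/20 and 10.0.0.0/29) as the only cross-subnet additions. Separately, the VCN `name: ${CLUSTER_NAME}` is the only unquoted templated value in the hunk; `name: "${CLUSTER_NAME}"` matches the metadata name three lines above and protects against an empty or special-character expansion being retyped by the YAML parser. The KubeadmControlPlane document that follows continues outside the hunk.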
